Cheat Engine

[XaneXXXX]

So i have this opcode that controls the time of day. It's in float and i don't have the pc on right now so let's say the code is

movss [rbx+7363666],xmm6

That opcode only controls ONE address. I want to make a script so that i can increase/decrease time of day by an hour. Can i somehow get the address out of the opcode?

I know how to do this with address aob only, and not the opcode itself.

Any tips?

[Zanzer]

Open Memory Viewer and just type that instruction in.
It'll produce the correct bytes for you.
From there, you can fill in the Writable checkbox (not checked, not unchecked).
Then search that array of bytes and hopefully not too many addresses pop up.

[XaneXXXX]

[Zanzer]

When you're in memory viewer, just select some random instruction and type:
movss [rbx+07363666],xmm6
Insert the single assembly instruction just to see what bytes it uses.
Then fill in the search criteria for those bytes as shown in the screenshot.

[XaneXXXX]

[Zanzer]

Can use injection to pull the address out when that instruction executes.
Can now use the pointer 'time_ptr' in your table.

[XaneXXXX]

[Zanzer]

I'm surprised it didn't cause you to immediately crash.
You're pushing RBP but then popping it into RBX, corrupting the registers.

The "db 48 81 C3" prepares the code "add rbx,____"
The "readmem(time+4,4)" copies the last 4 bytes (the offset), completing the above as "add rbx,ED0"

I had RBX because your original example stated RBX. However, you need RBP.
So change it to "db 48 81 C5" instead.
And fix that last POP to read "pop rbp".

[XaneXXXX]

My bad hehe, I corrected all the mistakes but it still shows the wrong value when I'm adding the address.

Do you have any idea what it could be?

I'm guessing that it has something to do that the offset is wrong

Thanks!



When i follow the code in memory:



Looks like time_ptr is in the wrong place?

[Zanzer]

Did you declare the table pointer as shown?
Did you go back in game to let it execute the instruction as it normally would?
Just saw that ADD RBP line... looks like the offset to the READMEM was off?

[XaneXXXX]

Yep.



That's with the script on!

UPDATE: It works!! But the game crashes as soon as the right address shows up

I made a mistake in the script. Everything works now! Thank you very much.

One more question, what does the "dq 0" do? I'm guessing it stands for define qword?

Update again: It kind of works, The problem is that the script also FREEZES the time, the address won't update

[Zanzer]

I only promised to get you the address. You're on your own with the crashing!
Did you try again after a fresh game load? Maybe all of those enables/disables corrupted something?

edit: Oh, you got it working. Great!
Yes, DQ reserves 8-bytes below your code to be used as though it was an 8-byte variable named time_ptr.

edit2: Woops, you forgot to include the original code!

[XaneXXXX]

[XaneXXXX]

Hello again! I was just wondering real fast, Why did you write

"readmem(time+4,4)" in the script? I mean,

Where did you get the numbers from? From what i can see, +4 = offset, and then you move the value of 4 into it or something haha.

These are commands I've never used before myself so I'm a little bit confused.

Then you said that i forget to add the originalcode:
movss [rbp+00000ED0],xmm6

But you told me to write:

[Zanzer]

READMEM takes an address as the first parameter and a length as the second.
It will read those bytes into the CE script at the location it appears.

First, we defined the address "time" using:
aobscanmodule(time,mgsvtpp.exe,F3 0F 11 B5 D0 0E 00 00)

This positions the label right over the instruction:
F3 0F 11 B5 D0 0E 00 00 - movss [rbp+ED0],xmm6

So time+4 positions us over the above bytes used to define the offset (D0 0E 00 00).
The length of 4 tells CE to copy those 4 bytes directly into the code at the time.
Since we had the DB statement prior, that makes CE insert the following:
48 81 C3 D0 0E 00 00 - add rbx,ED0

The first READMEM points us directly on the "time" address and simply reads the 8 bytes (original code):
F3 0F 11 B5 D0 0E 00 00 - movss [rbp+ED0],xmm6

So those 8 bytes are copied into the script at that location.

Now none of your code really cares what the offset is because it is copied on activation.
I would normally take this one step further and make the AOB scan ignore the offset as well.
aobscanmodule(time,mgsvtpp.exe,F3 0F 11 B5 * * * * {more to make it unique})